Among the 14 key areas of threat identified in Intel Security’s recently released 2016 Threat Predictions report was that of payment systems, and in particular the proliferating scourge of online credentials theft.

The report, published by McAfee – now part of Intel – listed payment systems along with cloud services, wearables, automobiles, hacktivism and ransomware as an area under threat over the next 12 months. A skewed focus on card transactions and the rise of alternate payment methods, says the report, have left many companies napping.

New systems, new avenues for theft

According to the report, we continue to place a significant security focus on vulnerabilities associated with credit and debit card transactions. This makes sense given that most digital transactions use these forms of payment, although there’s been little change in relation to how these vulnerabilities are exploited.

“Most attacks approach payment card theft in the same way they have for the past 10 years,” it states, “by attacking payment mechanisms or the databases containing card data.” Once attackers have obtained the card data, they sell it on as quickly as they can.

“Today, the number of alternate payment methods is rather dizzying,” the report observes, “from Bitcoins, ApplePay, credit cards, and debit cards, to online payment services.” This growth in alternate payment methods means that the number of attack surfaces has multiplied, increasing the number of possible targets open to cyber thieves.

“Given the plethora of payment methods, most of which still require usernames and passwords, credentials have become very valuable,” it says. To steal credentials, the cybercriminals are targeting the consumers directly because they are “both the source of the credentials and the weakest link in the payment process.”

Intel predicts that in 2016, payment system cybercriminals will increasingly focus their energies on stealing credentials from consumers. “We think that they will leverage traditional, time-proven mechanisms including phishing attacks and keystroke loggers, but new methods will emerge too.”

ATMs, POS and mobile payments at risk

In its 2016 Security Predictions: The Fine Line report, Trend Micro suggests that it will be in the mobile space where payments are most exposed. Trend Micro states that next generation payment methods will “pique the interest of online criminals from EMV credit cards to mobile wallets, challenging supposed ‘safer’ payment platforms.” Mobile malware is expected to grow “given the lax user behaviour and the availability of third-party app stores in China.”

In its 2016 predictions, the Kaspersky Security Bulletin highlights the many examples of attacks on point-of-sale systems and ATMs over the past year, including the Carbanak heist that pilfered up to one billion US dollars during a two-year period. A multinational gang of cybercriminals from Russia, Ukraine and other parts of Europe, and China was allegedly responsible for the crime.

“In the same vein,” says the Kaspersky report, “we expect cybercriminals to set their sights on novelties like alternate payment systems (ApplePay and AndroidPay) whose increasing rate of adoption should offer a new means of immediate monetization.”

Remove enrolment from the equation?

PwC’s Global State of Information Survey 2016 points out that there are lessons to be learnt from the rollout of Apple Pay and similar services. Some of the initial challenges of Apple Pay, it suggests, weren’t necessarily issues with the security of the phone or the credentials, but rather the process around enrolment.

“When you have these new payment models, you have to look at the end-to-end lifecycle of enrolling a user, transactions that flow through the system and de-enrolling users,” Joe LoBianco of CIBC stated in the report. “When there are new processes, the bad guys will try to exploit human weaknesses just as much as technological weaknesses.”

The transmission of tokens to merchant systems is one approach that the survey considers to be fundamentally secure because it avoids the need to store and transmit credit card information. While this may be the case, it suggests that completely removing the payment process from the user experience is the ideal end state.

In this regard, it quotes Guido Sacchi of Global Payments as citing the seamless process used by ride-hailing service Uber – where the merchant uses a payment card on file, and customers’ cards are automatically billed. “If there is one thing that is a takeaway from all this,” says Sacchi, “it’s that you need to look at both security and user experience. The winners in the market place are going to be those that strike the best balance between the two.”

Picking up on these pressing themes, the annual Payment Security Summit will take place on 26 and 27 April 2016 in London. The summit will bring together the entire payments ecosystem to showcase the range of tools and avenues for addressing cyber security threats specifically in the emerging and alternative payment markets.

The amount of reporting and information being produced internationally about these emerging issues reflects disquiet about the extent to which criminals are exploiting new payment technologies ahead of the identification of adequate security countermeasures. As more new payment platforms emerge, it appears that fortune will most likely continue to favour the cautious.